[Python-modules-team] Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Chris Lamb
lamby at debian.org
Sun Jun 14 23:56:03 BST 2020
Chris Lamb wrote:
> I will wait a few days to see what upstream says. I will also have to
> re-release for jessie LTS, alas.
Okay, this is now fixed in the following versions (without and with
the regression fix):
Distribution   Upload with regression   Upload with regression fixed
========================================================================
jessie         1.7.11-1+deb8u9          1.7.11-1+deb8u10
stretch        n/a                      1:1.10.7-2+deb9u9 (pending)
buster         n/a                      1:1.11.29-1~deb10u1 (pending)
unstable       2:2.2.13-1               2:2.2.13-2
experimental   2:3.0.7-1                2:3.0.7-2
========================================================================
The two pending uploads (i.e. needing your approval) to upload are:
python-django (1:1.10.7-2+deb9u9) stretch-security; urgency=high

  * CVE-2020-13254: Potential data leakage via malformed memcached keys.
    In cases where a memcached backend does not perform key validation, passing
    malformed cache keys could result in a key collision, and potential data
    leakage. In order to avoid this vulnerability, key validation is added to
    the memcached cache backends.
  * CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget.
    Query parameters to the admin ForeignKeyRawIdWidget were not properly URL
    encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures
    query parameters are correctly URL encoded.

 -- Chris Lamb <lamby at debian.org>  Sat, 13 Jun 2020 15:47:14 +0100
and
python-django (1:1.11.29-1~deb10u1) buster-security; urgency=high

  * New upstream security release (postponed from March 2020):
    - CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS
      functions and aggregates on Oracle
    Note that Django 1.11.x left upstream's extended security support on April
    1st 2020. For more information, please see:
      https://www.djangoproject.com/download/
  * This upload also fixes the following security issues:
    - CVE-2020-13254: Potential data leakage via malformed memcached keys.
      In cases where a memcached backend does not perform key validation,
      passing malformed cache keys could result in a key collision, and
      potential data leakage. In order to avoid this vulnerability, key
      validation is added to the memcached cache backends.
    - CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget.
      Query parameters to the admin ForeignKeyRawIdWidget were not properly URL
      encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures
      query parameters are correctly URL encoded.

 -- Chris Lamb <lamby at debian.org>  Sun, 14 Jun 2020 12:15:26 +0100
The full debdiffs are attached. Can you especially check the
versioning scheme and distribution fields for me? I often get this
wrong and end up confusing myself. Really appreciated.
Regards,
--
Chris Lamb
lamby at debian.org 🍥 chris-lamb.co.uk
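Added illustration of the two checks the changelog entries above describe (this is example code, not Django's implementation or the Debian patch): rejecting cache keys that memcached's text protocol cannot carry safely, and percent-encoding widget query parameters before they are placed in a link. Function names are my own; the 250-byte limit and the no-whitespace/no-control-character rule are the memcached protocol's.

```python
import re
from urllib.parse import urlencode

# memcached text-protocol constraints: a key is at most 250 bytes and may not
# contain whitespace or control characters. A space or newline inside a key
# ends the key early, so two different application keys can collide on the
# server (the data-leakage scenario behind CVE-2020-13254).
MEMCACHE_MAX_KEY_LENGTH = 250
_BAD_KEY_CHARS = re.compile(r"[\x00-\x20\x7f]")


class InvalidCacheKey(ValueError):
    """Raised for a key that cannot be sent to memcached unambiguously."""


def make_key(key, key_prefix="", version=1):
    """Build the namespaced key a cache backend would send to memcached."""
    return "%s:%s:%s" % (key_prefix, version, key)


def validate_memcached_key(full_key):
    """Return full_key unchanged, or raise InvalidCacheKey."""
    if len(full_key.encode("utf-8")) > MEMCACHE_MAX_KEY_LENGTH:
        raise InvalidCacheKey(
            "key longer than %d bytes" % MEMCACHE_MAX_KEY_LENGTH)
    if _BAD_KEY_CHARS.search(full_key):
        raise InvalidCacheKey(
            "key contains whitespace or control characters")
    return full_key


def is_valid_key(key, key_prefix="", version=1):
    """Convenience wrapper: True if the namespaced key passes validation."""
    try:
        validate_memcached_key(make_key(key, key_prefix, version))
    except InvalidCacheKey:
        return False
    return True


def related_url_params(params):
    """Percent-encode query parameters for a link, so characters such as
    '"', '<' and '>' cannot break out of the attribute (the approach the
    CVE-2020-13596 fix takes: encode, never interpolate raw values)."""
    return urlencode(sorted(params.items()))
```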